US-8166550

Detection of undesired computer files in damaged archives

Published: April 24, 2012
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

Systems and methods for an anti-virus detection module that can detect known undesired computer files in damaged archives that may be encrypted, compressed and/or password-protected are provided. According to one embodiment, a damaged or incomplete RAR, CAB or ZIP archive is received. Without decrypting or decompressing the contents, an anti-virus detection module identifies the archive as a RAR, CAB or ZIP archive by assuming each of multiple possible archive types in turn and searching all of or certain parts of the archive for content consistent with a current archive type. Based on the identified type, for each contained file, descriptive information is extracted from corresponding local file headers and a threat evaluation is performed by comparing the descriptive information to signatures of known malicious or undesired files. If the threat evaluation concludes a particular contained file is a threat, then appropriate defensive actions are taken in relation to the archive.
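The following Python script is an added illustration of the ZIP case of the method described in the abstract (and claimed in independent claims 1 and 12 below); it is not code from the patent or from any product of the patentee. It builds a small ZIP in memory, truncates it so the central directory and the tail of the last entry are lost, shows that the standard library parser rejects the damaged file, and then walks the local file headers directly, reading file name, compression method, CRC-32 and sizes without decompressing anything, and compares the (CRC-32, uncompressed size) pair to a signature table in the manner of claim 6. The file names, the payload bytes, the signature table and the `evaluate`/`walk_local_headers` helpers are all constructed for this example.

```python
"""Scan a damaged or incomplete ZIP by reading local file headers only."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"             # fixed 30-byte local file header layout
LOCAL_LEN = struct.calcsize(LOCAL_FMT)  # 30

# Constructed stand-in for a known-bad file (not real malware); its CRC-32 and
# uncompressed size act as the "descriptive information" signature.
BAD_PAYLOAD = b"constructed-known-bad-sample-bytes-for-this-example"
SIGNATURES = {
    (zlib.crc32(BAD_PAYLOAD) & 0xFFFFFFFF, len(BAD_PAYLOAD)): "example-signature-001",
}


def walk_local_headers(data: bytes):
    """Yield header metadata for every local file header found in `data`.

    Nothing is decompressed or decrypted. Because each entry is preceded by its
    own local header, this still works when the central directory and the
    end-of-central-directory record are missing (e.g. a cut-off download).
    """
    pos = data.find(LOCAL_SIG)
    while pos != -1:
        hdr = data[pos:pos + LOCAL_LEN]
        if len(hdr) < LOCAL_LEN:                  # header itself cut off
            yield {"offset": pos, "name": "?", "truncated": True}
            return
        (_sig, _ver, flags, method, _mtime, _mdate,
         crc, csize, usize, nlen, xlen) = struct.unpack(LOCAL_FMT, hdr)
        name = data[pos + LOCAL_LEN:pos + LOCAL_LEN + nlen]
        entry = {
            "offset": pos,
            "name": name.decode("utf-8", "replace"),
            "method": method,                      # 0 = stored, 8 = deflate
            "encrypted": bool(flags & 0x0001),     # general purpose bit 0
            "has_data_descriptor": bool(flags & 0x0008),  # bit 3: sizes/CRC deferred
            "crc32": crc,
            "compressed_size": csize,
            "uncompressed_size": usize,
            "truncated": len(name) < nlen,
        }
        yield entry
        data_start = pos + LOCAL_LEN + nlen + xlen
        # With bit 3 set the local header carries zero sizes, so we cannot skip
        # the data; we search onward from the header instead (may yield false
        # positives if the compressed data happens to contain the signature).
        skip = 0 if entry["has_data_descriptor"] else csize
        pos = data.find(LOCAL_SIG, data_start + skip)


def evaluate(data: bytes, signatures: dict) -> list:
    """Threat-evaluate each contained file using header metadata only."""
    verdicts = []
    for e in walk_local_headers(data):
        if e["truncated"]:
            verdict = "truncated-header"
        elif e["has_data_descriptor"]:
            verdict = "unknown (sizes/CRC deferred to data descriptor)"
        elif (e["crc32"], e["uncompressed_size"]) in signatures:
            verdict = "malicious: " + signatures[(e["crc32"], e["uncompressed_size"])]
        else:
            verdict = "clean"
        verdicts.append({**e, "verdict": verdict})
    return verdicts


def build_damaged_archive() -> bytes:
    """Constructed sample: a two-entry ZIP with its central directory and the
    last few bytes of the final entry's data removed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"harmless notes, constructed for this example")
        zf.writestr("dropper.exe", BAD_PAYLOAD)
    full = buf.getvalue()
    cd = full.find(b"PK\x01\x02")   # first central directory header
    return full[:cd - 3]


def standard_parser_accepts(data: bytes) -> bool:
    """True if the stock zipfile module can open the archive."""
    try:
        zipfile.ZipFile(io.BytesIO(data)).namelist()
        return True
    except zipfile.BadZipFile:
        return False


def scan_damaged_example() -> list:
    damaged = build_damaged_archive()
    return evaluate(damaged, SIGNATURES)


if __name__ == "__main__":
    sample = build_damaged_archive()
    print("zipfile module accepts damaged archive:", standard_parser_accepts(sample))
    for v in evaluate(sample, SIGNATURES):
        print(v["offset"], v["name"], v["verdict"])
```

The central directory is what ordinary tools use to enumerate entries, so losing it makes the archive unreadable to them while the per-entry local headers, and the metadata the signatures key on, are still intact. The example covers ZIP only; RAR and CAB have their own header layouts, and entries written with a data descriptor (general purpose bit 3) carry their sizes and CRC after the data rather than in the local header, which is why the scanner reports those as unknown rather than clean.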

Patent Claims
22 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A computer-implemented method of scanning archive files, the method comprising: receiving, by an anti-virus detection module running on a computer system, a damaged or incomplete RAR, CAB or ZIP archive file; and without decrypting and without decompressing contents of the damaged or incomplete RAR, CAB or ZIP archive file: identifying, by the anti-virus detection module, the damaged or incomplete RAR, CAB or ZIP archive file as a RAR, CAB or ZIP archive file by assuming each of a plurality of possible archive file types in turn and searching all of or certain parts of the damaged or incomplete RAR, CAB or ZIP archive file for content consistent with a current archive file type; based on the identified type and the associated structure, for each of a plurality of contained files within the damaged or incomplete archive file, extracting descriptive information from a corresponding local file header stored within the damaged or incomplete archive file; performing a threat evaluation of the contained file by comparing the descriptive information to signatures of known malicious or undesired computer files; and if the threat evaluation concludes the contained file is a threat, then performing appropriate defensive actions in relation to the RAR, CAB or ZIP archive file; whereby despite the RAR, CAB or ZIP archive file being damaged or incomplete all files contained therein are subjected to a threat evaluation.

2. The method of claim 1, wherein said identifying, said extracting and said performing a threat evaluation are performed in real-time and the damaged or incomplete RAR, CAB or ZIP archive file is an attachment of an email message.

3. The method of claim 1, wherein the contained file is one or more of encrypted, password-protected and compressed.

4. The method of claim 1, wherein a type, form or amount of the descriptive information varies for a plurality of different types of archive file formats.

5. The method of claim 4, wherein the descriptive information is comprised essentially of a hash value of the contained file in uncompressed format.

6. The method of claim 4, wherein, for a first archive file type of the plurality of different types of archive files, the descriptive information includes a hash value of the contained file in uncompressed format and a size of the contained file in uncompressed format.

7. The method of claim 6, wherein, for a second archive file type of the plurality of different types of archive files, the descriptive information includes a hash value of the contained file in compressed format and a size of the contained file in compressed format.

8. The method of claim 6, wherein, for a second archive file type of the plurality of different types of archive files, the descriptive information includes the hash value of the contained file in uncompressed format, the size of the contained file in uncompressed format, a size of the contained file in compressed format and a size of the contained file in compressed format.

9. The method of claim 6, wherein, for a second archive file type of the plurality of different types of archive files, the descriptive information includes a size of the contained file in compressed format, the size of the contained file in uncompressed format and a compression type.

10. The method of claim 6, wherein, for a second archive file type of the plurality of different types of archive files, the descriptive information includes a digital signature and a size of the contained file in compressed format.

11. The method of claim 6, wherein, for a second archive file type of the plurality of different types of archive files, the descriptive information includes the hash value of the contained file in uncompressed format, the size of the contained file in uncompressed format, a size of the contained file in compressed format and a file name of the contained file.

12. A computer-implemented method of scanning archive files, the method comprising: receiving, by an anti-virus detection module running on a computer system, a damaged or incomplete RAR, CAB or ZIP archive file; and without decrypting and without decompressing contents of the damaged or incomplete RAR, CAB or ZIP archive file: identifying, by the anti-virus detection module, the damaged or incomplete RAR, CAB or ZIP archive file as a RAR, CAB or ZIP archive file by assuming each of a plurality of possible archive file types in turn and searching all of or certain parts of the damaged or incomplete RAR, CAB or ZIP archive file for content consistent with a current archive file type; performing a threat evaluation for each of a plurality of contained files within the damaged or incomplete archive, wherein based on the identified type and the associated structure, for at least one of the plurality of contained files within the damaged or incomplete archive file said performing a threat evaluation involves, extracting descriptive information from a corresponding local file header stored within the damaged or incomplete archive file; comparing the descriptive information to signatures of known malicious or undesired computer files; and if the threat evaluation concludes the contained file is a threat, then performing appropriate defensive actions in relation to the RAR, CAB or ZIP archive file.

13. The method of claim 12, wherein said identifying, said extracting and said performing a threat evaluation are performed in real-time and the damaged or incomplete RAR, CAB or ZIP archive file is an attachment of an email message.

14. The method of claim 12, wherein the contained file is one or more of encrypted, password-protected and compressed.

15. The method of claim 12, wherein a type, form or amount of the descriptive information varies for a plurality of different types of archive file formats.

16. The method of claim 15, wherein the descriptive information is comprised essentially of a hash value of the contained file in uncompressed format.

17. The method of claim 15, wherein, for a first archive file type of the plurality of different types of archive files, the descriptive information includes a hash value of the contained file in uncompressed format and a size of the contained file in uncompressed format.

18. The method of claim 17, wherein, for a second archive file type of the plurality of different types of archive files, the descriptive information includes a hash value of the contained file in compressed format and a size of the contained file in compressed format.

19. The method of claim 17, wherein, for a second archive file type of the plurality of different types of archive files, the descriptive information includes the hash value of the contained file in uncompressed format, the size of the contained file in uncompressed format, a size of the contained file in compressed format and a size of the contained file in compressed format.

20. The method of claim 17, wherein, for a second archive file type of the plurality of different types of archive files, the descriptive information includes a size of the contained file in compressed format, the size of the contained file in uncompressed format and a compression type.

21. The method of claim 17, wherein, for a second archive file type of the plurality of different types of archive files, the descriptive information includes a digital signature and a size of the contained file in compressed format.

22. The method of claim 17, wherein, for a second archive file type of the plurality of different types of archive files, the descriptive information includes the hash value of the contained file in uncompressed format, the size of the contained file in uncompressed format, a size of the contained file in compressed format and a file name of the contained file.

Patent Metadata

Filing Date

October 6, 2010

Publication Date

April 24, 2012

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Detection of undesired computer files in damaged archives” (US-8166550). https://patentable.app/patents/US-8166550

Detection of undesired computer files in damaged archives — Steven Michael Fossen | Patentable